Removing Local Admin Privilege using a Script

New Contributor II


I have been trying to remove local admin privilege for all users, with the exception of two local accounts. I was able to find a script from a previous post. For the most part it works, but one of the local admin account names has spaces in it. So when I run the script it takes in each word as a separate user. For example: if the admin account name is "The Admin" it would run with "The" as one account name and "Admin" as another account name. Not sure why the space is a delimiter. Any help would be appreciated!


# The GroupMembership line reads "GroupMembership: root user1 ...".
# The unquoted $adminUsers below is split on whitespace, so a name such as
# "The Admin" becomes two loop items, "The" and "Admin".
adminUsers=$(dscl . -read Groups/admin GroupMembership | cut -c -18)

for user in $adminUsers; do
    # every exception must be a non-match, so the tests are joined with &&
    if [ "$user" != "root" ] && [ "$user" != "The Admin" ] && [ "$user" != "secondAdmin" ]; then
        dseditgroup -o edit -d "$user" -t user admin
        if [ $? = 0 ]; then echo "Removed user $user from admin group"; fi
    else
        echo "Admin user $user left alone"
    fi
done



Valued Contributor II

Spaces are delimiters in a BASH array. You are creating the array adminUsers and then looping through it. If you were to echo $adminUsers you would see something like:

root user1 The Admin secondAdmin

To BASH that is 5 different array elements.

The big question is how do you have a username with a space in it? That should not be possible. Are you sure "The Admin" is a username and not a Real Name?

Also, your cut command in the 2nd line is incorrect. It should be cut -c 18- . Otherwise you are getting the first 18 characters.

New Contributor II

Hello, thanks for the response!
After doing some digging, a previous person who used to work on Jamf created this setting in PreStage enrollment, where it created a local admin account with spaces in it. And I guess by creating it this way, the username was able to have a space in it?

My worry was that other devices may have different usernames with spaces in them. So if I need to remove admin privilege from them, it wouldn't work. But from what it sounds like, there should be no other accounts with spaces in them, unless it was done the way I mentioned above.

I thought the - after the 18 meant it cuts the characters after the 18th character? When I tried the script with the dash after the 18 and did an echo of the results, it returned nothing.

Contributor III

Could you use the user ID instead? Not that I know if dseditgroup takes GIDs for operations. 

Contributor III

Ignoring the space-in-a-username issue, the scripting part could be done this way:

# by replacing [ with [[ you're able to wildcard the comparison.
# instead of seeing if the username = "The Admin" see if it = *"Admin"*
if [[ "$user" != "root" ]] && [[ "$user" != *"Admin"* ]] && [[ "$user" != "secondAdmin" ]]; then
    dseditgroup -o edit -d "$user" -t user admin
fi
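As an added example that is not any poster's script: this version avoids the word-splitting problem explained in the second reply and compares exception names exactly rather than with the *"Admin"* wildcard above (which would also spare any unrelated account whose name happens to contain "Admin"). It enumerates local users one per line with dscl . -list /Users, a form that keeps a name such as "The Admin" whole, and checks membership per user with dseditgroup -o checkmember, whose output is assumed to start with "yes" for a member. The macOS commands only run where dseditgroup exists; the filtering functions run anywhere and are exercised below on a constructed list of names.

```shell
#!/bin/sh
# Added example, not the thread's script: remove admin rights from every local
# account except an exception list, without splitting names on spaces.

# should_demote NAME -> exit status 0 when NAME should lose admin rights.
# case patterns are whole-string matches, so "The Admin" stays one name.
# Add further exceptions to the first pattern line.
should_demote() {
    case "$1" in
        root|"The Admin"|secondAdmin) return 1 ;;
        *) return 0 ;;
    esac
}

# demote_candidates: read one username per line on stdin (the form
# "dscl . -list /Users" prints, which preserves spaces inside a name) and
# print only the names that should be removed from admin, one per line.
demote_candidates() {
    while IFS= read -r user; do
        [ -z "$user" ] && continue
        case "$user" in _*) continue ;; esac   # skip macOS service accounts
        should_demote "$user" && printf '%s\n' "$user"
    done
    return 0
}

# list_local_admins (macOS only): every local user that is in group admin.
# Assumption: "dseditgroup -o checkmember" prints "yes ..." for a member.
list_local_admins() {
    dscl . -list /Users | while IFS= read -r user; do
        case "$(dseditgroup -o checkmember -m "$user" admin 2>/dev/null)" in
            yes*) printf '%s\n' "$user" ;;
        esac
    done
    return 0
}

# Runs only where dseditgroup exists (macOS). DRY_RUN=1 (the default) just
# reports; DRY_RUN=0 performs the edit, which needs root.
if command -v dseditgroup >/dev/null 2>&1; then
    list_local_admins | demote_candidates | while IFS= read -r user; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "Would remove $user from admin group"
        elif dseditgroup -o edit -d "$user" -t user admin; then
            echo "Removed user $user from admin group"
        else
            echo "Failed to remove $user from admin group" >&2
        fi
    done
fi
```

Run it once as is to get the dry-run report, then with DRY_RUN=0 under sudo (or as a Jamf policy, which already runs as root) to apply it.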